
Git Commit Signing: Code we can trust?


When we install software on our computers we have to trust the package maintainers that it's secure.

If someone slips a hack into homebrew all of our machines could become vulnerable.

But what about our own code?

* When we deploy to production, how do we know we can trust it?
* What if someone pushes a hack to our github?
* Will CI still push it to production?

It turns out Git has a cool feature that can help us trust the code we deploy. We'll discuss Git Commit Signing, how it can help us, and what downsides it may have.

Talk given at the London Ruby User Group (LRUG) at Skills Matter in London on Monday 12th February 2018.

Matthew Rudy Jacobs

February 12, 2018


Transcript

  1. git commit signing
    code you can trust?
    Matthew Rudy Jacobs @ LRUG
    Monday 12th February 2018


  2. @MATTHEWRUDY


  3. SECURING DEVOPS


  4. HTTPS://MIKEGERWITZ.COM/PAPERS/GIT-HORROR-STORY


  5. WHAT'S THE PROBLEM?


  6. WHO WROTE THIS?


  7. MORE DANGEROUSLY


  8. SOMEWHERE IN THE MIDDLE!


  9. THIS WAS REAL


  10. WOULDN'T THIS BE BETTER?
    UNVERIFIED


  11. GIT COMMIT SIGNING


  12. GIT 1.7.9 (JANUARY 2012)


  13. You've probably seen it


  14. You've probably seen it


  15. IT'S JUST PGP


  16. AND IT COMES BUILT INTO GIT


  17. YOU CAN SIGN COMMITS


  18. YOU CAN SIGN TAGS


  19. IT MOSTLY JUST WORKS


  20. HOW TO INSTALL


  21. • brew install gpg
    • gpg --full-generate-key
    • git config --global user.signingKey MYKEYID
    • git config --global commit.gpgsign true


  22. HTTPS://HELP.GITHUB.COM/ARTICLES/SIGNING-COMMITS-WITH-GPG/


  23. HTTPS://KEYBASE.IO/MATTHEWRUDY


  24. VERIFY YOUR CODE


  25. VIEW THE SIGNATURES


  26. GIT VERIFY-COMMIT
    Unsigned
    Unverified
    Verified


  27. STICK IT ON YOUR CI


  28. EXAMPLE FAILURE


  29. THERE ARE BUGS


  30. TOOLING COULD BE BETTER


  31. INTEGRATION COULD BE BETTER
    UNVERIFIED
    UNSIGNED


  32. SECURITY IS HARD!!!


  33. SECURITY IS HARD!!!
    What if someone breaks into your laptop?
    What if you don't notice a malicious change?
    What if someone hacks github?
    How do you expire an old key?
    What if a trusted employee goes rogue?
    What if someone compromises your CI?
    What if someone has a quantum computer?


  34. TRUSTING THE COMMITTER
    ==
    TRUSTING THE CODE?


  35. ADOPTION IS PRETTY LOW


  36. BUT IT'S QUITE EASY


  37. ITS VALUE DEPENDS ON YOUR
    BUSINESS


  38. WHY NOT TRY?
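
The CI check that slides 26 and 27 point at (GIT VERIFY-COMMIT, then STICK IT ON YOUR CI), as an added example that is not code from the talk. It classifies each commit from git's `%G?` signature-status code instead of calling `git verify-commit` per commit; the function names, the mapping of status codes onto the slide's Unsigned / Unverified / Verified labels, and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the talk. Input lines are "<commit> <code>", the
# shape printed by: git log --format='%H %G?' <range>

# Map git's %G? code onto the slide's three labels (mapping is an assumption).
classify_status() {
    case "$1" in
        G) echo Verified ;;    # good (valid) signature
        N) echo Unsigned ;;    # no signature at all
        *) echo Unverified ;;  # B, U, X, Y, R, E, or anything unexpected
    esac
}

# Read "<commit> <code>" lines on stdin, report each commit, and return
# non-zero unless every commit is Verified (fails closed on odd input).
check_signatures() {
    failures=0
    while read -r commit code || [ -n "$commit" ]; do
        [ -n "$commit" ] || continue
        label=$(classify_status "$code")
        printf '%-10s %s\n' "$label" "$commit"
        [ "$label" = Verified ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample input (hashes shortened and made up).
sample_log() {
    printf '%s\n' 'a1b2c3d G' 'e4f5a6b N' 'c7d8e9f U'
}

if sample_log | check_signatures; then
    echo 'all commits verified'
else
    echo 'refusing to deploy: unsigned or unverified commits present'
fi
```

In a pipeline, feed `check_signatures` from `git log --format='%H %G?'` over the range being deployed instead of `sample_log`. The CI runner's keyring has to hold the team's public keys, otherwise signed commits report `E` and are counted as Unverified.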
